Securing the network by ensuring that the right users get the right access to the right set of resources is the core function of Cisco’s Identity Services Engine (ISE). ISE builds context about users (who), device type (what), access time (when), access location (where), access type, i.e. wired, wireless or VPN (how), and, most important, threats and vulnerabilities. All of these pieces of contextual data are fed into logical policy groups, called Scalable Group Tags, assigned to every connected endpoint. These context-aware tags then form the basis of security policies that are centrally managed on ISE and enforced across the network, either in the traditional way or through the network fabric as part of Software-Defined Access (SDA).
Duo Security is closely aligned with our intent-based networking vision and strategy, and reinforces our existing ISE and DNA Center capabilities. It will also help accelerate the adoption of SDA by extending policy into the cloud and by unifying network segmentation with cloud access control. We are bringing together application zero-trust capabilities from Duo with network zero-trust capabilities from SDA to create a comprehensive network and cloud access control solution.
“I have employees and contractors on my network. My objective is to securely connect these users by using MFA and then assign them a secure network policy by using ISE for segmentation. Employees and contractors are on the same network but they cannot talk to each other. Employees get full access to my on-prem network resources or network resources in my data center; contractors get limited network access.”
Configure ISE’s web-based authentication portal as an application protected by Duo MFA. After successful 2FA, ISE grants users network access based on group-based policies.
Employees connect to the network and get a network policy with SGT=Employee
Contractors connect to the network and get a network policy with SGT=Contractor
1. The user connects and is redirected to the ISE portal
2. ISE redirects the unauthenticated request to the Duo Access Gateway (DAG)
3. Because the ISE portal is a protected application, the DAG prompts the user for authentication
4. The user’s credentials are verified against Active Directory
5. The DAG then sends the MFA notification
6. The user receives a Duo Push notification and taps “Approve” on the mobile device
7. The DAG receives the authentication success notification
8. ISE receives the SAML response
9. ISE authorizes network access and pushes the Employee or Contractor Scalable Group Tag (SGT)
10. As per the SGT-based network policy, employees and contractors are on the same Layer 2 network but cannot talk to each other (east-west segmentation/microsegmentation)
Configuration Part 1: Protecting ISE web portal with Duo MFA
In Duo terminology, “protecting an application” simply means that access to that application is redirected through the Duo Access Gateway. This redirection is what inserts second-factor authentication before application access is allowed (it assumes that network-layer access is not otherwise restricted). In addition, the DAG can enforce the additional application policies, such as user, device and network restrictions, that are defined in the Duo Admin Panel.
Adding an application to Duo
Note: Before proceeding, it is assumed that an identity source has already been configured on the DAG. If this has not been done, refer to the Duo Access Gateway documentation for details.
The steps below tie the ISE Guest web portal into the DAG as a protected application so that Duo Push is added as the second authentication step. ISE Guest allows users to gain network access via an HTTP or HTTPS login; Duo Single Sign-On then initiates the second authentication back to the user via Duo Push.
Log into your Duo Access Gateway
In the left sidebar, navigate to Applications
Scroll down to the Metadata section in the center of the page, click “Download XML metadata” and save the file
Log into ISE
Navigate to Administration -> Identity Management -> External Identity Sources -> SAML ID Providers
On the resulting window, starting from left to right, configure the settings within each tab menu item as follows:
In the General tab, use “duoSAML” as the Id Provider Name
In the Identity Provider Config tab, upload the XML file from Step 3
Skip the Service Provider Info tab; you’ll come back to it later
In the Groups tab, select the user groups relevant to your authentication requirements
20. Scroll to the bottom, click the Save Configuration button and download the configuration file.
Add ISE Portal to Duo Access Gateway
21. Log in to the Duo Access Gateway
22. Navigate to Applications. Upload the .json configuration file from Step 20
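Before the DAG metadata from Step 3 goes into ISE, it is worth checking what the file actually contains: the IdP entityID, the single sign-on endpoints, and the signing certificate ISE will use to validate SAML responses. The script below is an added example (not code from the article, Cisco or Duo) that parses a SAML IdP metadata document with Python’s standard library and flags the problems that most often break the redirect later: an http:// endpoint, an endpoint on a host other than the DAG, or no signing certificate. The metadata embedded in it is constructed, with the placeholder hostname dag.example.com and a placeholder certificate body, and expected_host is a parameter of this example rather than an ISE or DAG setting.

```python
"""Sanity-check the IdP metadata downloaded from the DAG before uploading it to ISE.

Added example for this article, not code from Cisco, Duo or the article.
The metadata document below is constructed: the entityID, URLs and the
certificate body are placeholders, not values from a real Duo Access Gateway.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample shaped like the "Download XML metadata" file from a DAG.
# The X509Certificate content is a short placeholder, not a real certificate.
SAMPLE_METADATA = b"""<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://dag.example.com/dag/saml2/idp/metadata.php">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIBszCCAVkCAQAwDQYJ</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://dag.example.com/dag/saml2/idp/SSOService.php"/>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://dag.example.com/dag/saml2/idp/SSOService.php"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def inspect_idp_metadata(xml_bytes, expected_host=None):
    """Return the IdP entityID, SSO endpoints, signing-cert fingerprint and a
    list of problems. expected_host is the DAG FQDN the endpoints must use."""
    root = ET.fromstring(xml_bytes)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML EntityDescriptor: %s" % root.tag)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this looks like SP metadata, not IdP metadata")

    result = {
        "entity_id": root.attrib.get("entityID", ""),
        "sso": {},
        "signing_cert_sha256": None,
        "problems": [],
    }
    for sso in idp.findall("md:SingleSignOnService", NS):
        result["sso"][sso.attrib.get("Binding", "")] = sso.attrib.get("Location", "")

    # Take the first signing certificate; ISE uses it to validate SAML responses.
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.attrib.get("use", "signing") != "signing":
            continue
        cert = kd.find(".//ds:X509Certificate", NS)
        if cert is not None and cert.text:
            der = base64.b64decode("".join(cert.text.split()))
            result["signing_cert_sha256"] = hashlib.sha256(der).hexdigest()
            break

    problems = result["problems"]
    if result["signing_cert_sha256"] is None:
        problems.append("no signing certificate: ISE cannot verify responses")
    if REDIRECT not in result["sso"] and POST not in result["sso"]:
        problems.append("no HTTP-Redirect or HTTP-POST SingleSignOnService")
    for binding, location in result["sso"].items():
        short = binding.rsplit(":", 1)[-1]
        url = urlparse(location)
        if url.scheme != "https":
            problems.append("%s endpoint is not https: %s" % (short, location))
        if expected_host and url.hostname != expected_host:
            problems.append("%s endpoint host %r != %r" % (short, url.hostname, expected_host))
    return result


if __name__ == "__main__":
    report = inspect_idp_metadata(SAMPLE_METADATA, expected_host="dag.example.com")
    for key, value in report.items():
        print(key, value)
```

To run it against the real download, replace SAMPLE_METADATA with the file contents and expected_host with the DAG FQDN. Anything that lands in problems should be fixed on the DAG before the file is uploaded in the Identity Provider Config tab; the fingerprint is also handy for confirming, after the upload, that ISE shows the same signing certificate.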
Verifying ISE and Duo MFA
23. On ISE, navigate to Work Centers -> Guest Access -> Portals & Components -> Guest Portals
24. Click the link Sponsored Guest Portal (default)
25. Right-click and copy the link for “Portal Test URL”
Paste the link address into a text editor
Change the link address from using the ISE IP to the ISE FQDN (include port 8443)
Note: These steps work around an ISE defect
26. Paste the edited link into a browser. After successfully authenticating, you should see the following pop-up
27. Click Continue. This concludes the test
Finalizing ISE and Duo MFA Integration
In the steps below, you will enable web authentication so that users are redirected to the ISE Guest Portal to start the MFA process.
28. Log into ISE and navigate to Policy -> Policy Elements -> Results -> Authorization -> Authorization Profiles
29. Create an authorization profile, such as “WebAuth Wired DUO”, with the following configuration:
30. Continue to scroll down within Common Tasks to select “Web Redirection”. Configure as follows:
32. Navigate to Policy -> Policy Sets
33. Expand the default policy set by clicking the > on the right of the screen
The resulting view will look like this:
34. Expand Authorization Policy. Add new policies that reference the SAML groups from Step 7. Also modify the Default policy to use the “WebAuth Wired DUO” profile rather than “Deny Access”
Note: Also disable the Basic_Authenticated_Access rule
Configuration Part 2: Securing Network Access with Micro-Segmentation
In the previous exercise you configured ISE and Duo to work together to secure the network connection process with Duo MFA. Now that the user is connected, in the steps below you will further secure network access using group-based segmentation. In the example below, the policy created will mitigate the spread of malware between Employees and Contractors.
Note: Some TrustSec configuration steps have been pre-configured. Please see the appendix for these details.
1. On ISE, navigate to Work Centers -> TrustSec -> TrustSec Policy
2. Select ADD in the policy matrix menu
3. Configure new policies as follows:
Note: The “Anti-Malware SGACL” contains rules that deny specific TCP and UDP traffic. To review the rules contained in this SGACL, navigate to Work Centers -> TrustSec -> Components -> Security Group ACLs
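To make the effect of the matrix concrete before it is pushed to the fabric, here is an added example (not Cisco code and not the article’s configuration) that models a TrustSec policy matrix and evaluates SGACL access control entries against a flow. The article does not list the rules inside its Anti-Malware SGACL, so the ACEs, the port numbers and the matrix cells below are constructed; only the ACE syntax (permit/deny, protocol, src/dst with eq or range) follows the Cisco SGACL form. First matching ACE wins, as in an ordinary ACL, and the behaviour of an SGACL with no matching ACE is a stated assumption of this model.

```python
"""Model of a TrustSec policy matrix and SGACL evaluation.

Added example for this article; not Cisco code and not the article's own
configuration. The article names the Employee and Contractor tags and an
"Anti-Malware SGACL" that denies specific TCP and UDP traffic but does not
list its rules, so the ACEs, the matrix cells and the port numbers below
are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed SGACL, written in Cisco SGACL ACE syntax:
#   {permit|deny} {ip|tcp|udp|icmp} [src {eq|range} P [P2]] [dst {eq|range} P [P2]] [log]
# The ports are a plausible lateral-movement set, not the article's list.
ANTI_MALWARE_SGACL = """
deny tcp dst eq 445
deny tcp dst range 135 139
deny udp dst range 135 139
deny tcp dst eq 3389
deny tcp dst eq 5985
permit ip
"""

PERMIT_IP = "permit ip"

# Constructed matrix: (source SGT, destination SGT) -> SGACL text. Only the
# cross-group cells are populated, as in the article; any cell with no entry
# falls back to the matrix default passed to decide() (permit ip here).
MATRIX = {
    ("Employee", "Contractor"): ANTI_MALWARE_SGACL,
    ("Contractor", "Employee"): ANTI_MALWARE_SGACL,
}

PortRange = Optional[Tuple[int, int]]


@dataclass(frozen=True)
class Ace:
    action: str       # "permit" or "deny"
    proto: str        # "ip", "tcp", "udp" or "icmp"
    src: PortRange    # (lo, hi) or None for any source port
    dst: PortRange    # (lo, hi) or None for any destination port


def _port_spec(tokens, i):
    """Parse 'eq P' or 'range P1 P2' starting at tokens[i]; return (range, next index)."""
    if tokens[i] == "eq":
        p = int(tokens[i + 1])
        return (p, p), i + 2
    if tokens[i] == "range":
        return (int(tokens[i + 1]), int(tokens[i + 2])), i + 3
    raise ValueError("unsupported port operator %r" % tokens[i])


def parse_sgacl(text):
    """Turn SGACL text into an ordered list of Ace objects; blank lines are skipped."""
    aces = []
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] not in ("permit", "deny") or len(t) < 2 or t[1] not in ("ip", "tcp", "udp", "icmp"):
            raise ValueError("bad ACE: %r" % line)
        src = dst = None
        i = 2
        while i < len(t):
            if t[i] == "src":
                src, i = _port_spec(t, i + 1)
            elif t[i] == "dst":
                dst, i = _port_spec(t, i + 1)
            elif t[i] == "log":
                i += 1
            else:
                raise ValueError("bad ACE: %r" % line)
        if t[1] in ("ip", "icmp") and (src or dst):
            raise ValueError("port match only valid for tcp/udp: %r" % line)
        aces.append(Ace(t[0], t[1], src, dst))
    return aces


def _in_range(rng, port):
    return rng is None or rng[0] <= port <= rng[1]


def evaluate_sgacl(aces, proto, sport=0, dport=0):
    """First matching ACE wins. Assumption of this model: an SGACL with no
    matching ACE denies, which is why the constructed SGACL ends in 'permit ip'."""
    for ace in aces:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if proto in ("tcp", "udp") and not (_in_range(ace.src, sport) and _in_range(ace.dst, dport)):
            continue
        return ace.action
    return "deny"


def decide(matrix, src_sgt, dst_sgt, proto, sport=0, dport=0, default=PERMIT_IP):
    """Look up the matrix cell for (src_sgt, dst_sgt) and evaluate its SGACL for one flow."""
    sgacl = matrix.get((src_sgt, dst_sgt), default)
    return evaluate_sgacl(parse_sgacl(sgacl), proto, sport, dport)


if __name__ == "__main__":
    flows = [("Employee", "Contractor", "tcp", 445),
             ("Employee", "Contractor", "tcp", 443),
             ("Contractor", "Employee", "udp", 137),
             ("Employee", "Employee", "tcp", 445)]
    for src, dst, proto, dport in flows:
        print(src, "->", dst, proto, dport, decide(MATRIX, src, dst, proto, dport=dport))
```

The cells worth checking against your own matrix are the cross-group ones: an SMB connection from a Contractor host to an Employee host has to land on a deny ACE, while the same flow inside a group is governed only by the cell default. Exporting the matrix from ISE and running a handful of known-bad flows through a model like this catches an empty cell before the SGACLs are pushed to the fabric.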